fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet, which is encrypted, non-replayable, and authenticated via an HMAC, to communicate the desired access to a service hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH, making the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. A service concealed by SPA cannot be discovered with Nmap, since the firewall drops unsolicited probes before they reach it. The fwknop project supports three different firewalls: iptables on Linux systems, pf on OpenBSD, and ipfw on FreeBSD and Mac OS X (firewalld support on Fedora, RHEL and CentOS was added in 2.6.4, see below).
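The three SPA properties described above (encrypted, HMAC-authenticated, non-replayable) and the server-side order of checks, as an added example that is not fwknop's code or its packet format. The field layout, the names build_spa and SpaGateway, the hex-encoded tag, and the HMAC-SHA256 counter-mode keystream used in place of fwknop's Rijndael/GPG encryption are assumptions made for illustration; the keys and addresses are constructed sample values. The HMAC digest is selectable so the SHA3 variants from the 2.6.9 release can be exercised.

```python
"""Model of SPA verification: a packet that is encrypted, HMAC-authenticated
and non-replayable.  Added example; not fwknop's code or wire format.  The
keystream cipher below is a toy stand-in for fwknop's Rijndael/GPG encryption
and must not be used as a real cipher."""
import base64
import binascii
import hashlib
import hmac
import os
import struct
import time

# HMAC digests to choose from, including the SHA3 variants added in fwknop 2.6.9.
HMAC_ALGS = {
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
    "sha3_256": hashlib.sha3_256,
    "sha3_512": hashlib.sha3_512,
}


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in, assumption)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_spa(enc_key, hmac_key, allow_ip="10.0.0.5", access="tcp/22",
              hmac_alg="sha256", now=None):
    """Client side: random nonce + timestamp + access request, encrypted,
    then HMAC'd over the encoded ciphertext (encrypt-then-MAC)."""
    now = int(time.time()) if now is None else now
    body = f"{os.urandom(16).hex()}:{now}:{allow_ip}:{access}".encode()
    iv = os.urandom(16)
    enc = base64.b64encode(iv + _xor(body, _keystream(enc_key, iv, len(body))))
    tag = hmac.new(hmac_key, enc, HMAC_ALGS[hmac_alg]).hexdigest().encode()
    return enc + tag


class SpaGateway:
    """Server side of a default-drop SPA daemon: authenticate before
    decrypting, and refuse anything that has been seen before."""

    def __init__(self, enc_key, hmac_key, hmac_alg="sha256", max_age=120):
        self.enc_key, self.hmac_key = enc_key, hmac_key
        self.hmac_fn = HMAC_ALGS[hmac_alg]
        self.max_age = max_age      # seconds of clock skew tolerated
        self.digest_cache = set()   # models fwknopd's digest.cache replay store
        self.opened = []            # (ip, proto/port) pairs that were granted

    def verify(self, pkt: bytes, now=None) -> str:
        now = int(time.time()) if now is None else now
        taglen = self.hmac_fn().digest_size * 2      # hex-encoded tag length
        enc, tag = pkt[:-taglen], pkt[-taglen:]
        # 1. HMAC first, in constant time: a forged packet never reaches the
        #    decryption code, so there is no decryptor to probe.
        expected = hmac.new(self.hmac_key, enc, self.hmac_fn).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "bad_hmac"
        # 2. Replay: the digest of the whole packet must not have been seen.
        digest = hashlib.sha256(pkt).hexdigest()
        if digest in self.digest_cache:
            return "replay"
        # 3. Decrypt and parse the access request.
        try:
            raw = base64.b64decode(enc, validate=True)
            iv, ct = raw[:16], raw[16:]
            plain = _xor(ct, _keystream(self.enc_key, iv, len(ct))).decode()
            _nonce, ts, allow_ip, access = plain.split(":", 3)
            ts = int(ts)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return "malformed"
        # 4. Timestamp window: this bounds how long the replay cache must
        #    remember a digest, since anything older is rejected here anyway.
        if abs(now - ts) > self.max_age:
            return "stale"
        self.digest_cache.add(digest)
        self.opened.append((allow_ip, access))   # a firewall rule would be added here
        return "ok"
```

The ordering is the point: the HMAC is verified over the ciphertext before anything is decrypted, the replay check keys on a digest of the exact bytes received, and the timestamp window gives the replay store a finite horizon. Note that the replay store is itself trusted input to the daemon, which is why the 2.6.5 fix for a crash on a malformed digest.cache (below) mattered even though the file is root-only.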

Recent Releases

2.6.9 (09 Jun 2016 12:07) major feature:
* Added support for the SHA3 "Keccak" algorithm (specifically SHA3_256 and SHA3_512) for SPA HMAC and digest checking.
* Added support for libnetfilter_queue so that fwknopd can acquire SPA packets via the iptables NFQUEUE target. This feature is enabled with a new '--enable-nfq-capture' switch for the configure script, and libpcap is not required in this mode.
* Added support for deriving the source IP from the X-Forwarded-For HTTP header when SPA packets are sent over HTTP connections. Since any client can set this header, it should only be trusted when fwknopd sits behind a proxy you control that overwrites it.

2.6.8 (23 Dec 2015 22:05) major feature:
Major new feature allowing fwknop to integrate with third-party devices and software, via a new command open/close cycle capability: a configured "open" command runs when a valid SPA packet is accepted and the matching "close" command runs when the access window expires. Added an include directive to access.conf.

2.6.6 (24 Apr 2015 04:31) major feature:
Add the ability for fwknopd to function as a generic SPA gateway. This allows scenarios such as the fwknopd system handing out DHCP addresses to client systems, while those systems are blocked by default from reaching the broader Internet until a valid SPA packet is sent to the gateway. Bug fix when compiled with --enable-udp-server so that pcap.h is not included, since it is unlikely to be installed whenever libpcap is also not installed.

2.6.5 (17 Dec 2014 13:18) major feature:
This release fixes one bug in fwknopd found through AFL fuzzing (a local-only crash in fwknopd upon importing a maliciously constructed digest.cache file, which is only writable by root), and adds a new DESTINATION keyword to the access.conf file (from Grant Pannell).

2.6.4 (17 Nov 2014 13:33) major feature:
Added an optional UDP listener mode for fwknopd so that libpcap can be removed as a dependency. Added support for firewalld on recent Fedora, RHEL, and CentOS systems. Replaced all system() and popen() calls with execvpe() calls that pass an empty environment, so no environment variables reach the executed firewall commands (a defensive measure). Added support for the 'American Fuzzy Lop' fuzzer from Michal Zalewski.

2.6.3 (30 Jul 2014 11:57) minor feature:
SSL support for IP resolution lookups. GPG key comparison now uses full fingerprints instead of abbreviated key IDs, which are short enough to be collided deliberately. A new SPA packet fuzzer used by the test suite. libfiu fault injection library support (also used by the test suite).